The ModSecurity web application firewall (WAF) engine is set to go end-of-life (EOL) on 1 July 2024.
What happens after July 2024? What does this mean for Loadbalancer.org? More importantly, what does this mean for you? These are questions we've been asked several times, so we wanted to collect our thoughts in one place to share and to signpost people to, and hopefully assuage any fears you might have.
First off: What is a WAF?
A web application firewall, or WAF, is a defensive security measure for monitoring and blocking web traffic. A WAF adds an important layer of security to web applications and prevents your web services from being low-hanging fruit for attackers. Anyone running a web application should have a WAF sitting in front of it.
At Loadbalancer.org, we offer an integrated WAF as part of our load balancer appliance to protect your web applications. We've written extensively about this in the past (for details, check out the WAF category on our blog and refer to the WAF chapter in our Administration Manual.)
At its core, a WAF is made up of two component parts:
A WAF engine doesn't do much by itself. You need rules to run on top of an engine. The rules provide the logic of how to inspect web traffic in a meaningful way, while the engine powers that inspection by providing the necessary tools and functionality.
For the rules part, we use the OWASP ModSecurity Core Rule Set: the de facto set of free and open source WAF rules used around the world. The Core Rule Set (CRS) is a flexible, generic set of attack detection rules which look for bad behaviors and unusual, anomalous activity.
For the engine part, we use ModSecurity.
What is ModSecurity?
If the Core Rule Set is the de facto set of open source WAF rules, then ModSecurity is the de facto open source WAF engine. It's widely used, it's been around for over two decades, and it's available as a package for all the mainstream Linux distributions.
ModSecurity started out life as a free and open source project back in 2002. In 2006, it was acquired by a commercial security company which in 2010 was acquired by the security provider Trustwave, who currently control ModSecurity.
Back in 2021, Trustwave announced their intention to sunset ModSecurity in July 2024. ModSecurity will return to being an open source software project and will belong to the free software community once again.
What happens after July 2024?
Nothing will dramatically change after Trustwave's commercial end-of-life date for ModSecurity. Trustwave's decision just means the end of commercial support and commercial development.
In terms of ModSecurity development, since about 2018, the development focus seems to have been on fixing bugs and security vulnerabilities only. There haven't been big new features for a long time. ModSecurity has essentially been in ‘maintenance mode’ for a number of years.
For whatever reason, Trustwave haven't properly resourced or pushed the development of ModSecurity for many years. This was likely due to a changing business model, as they've moved to focus their business on managed security services and consultancy. Considering the fact that ModSecurity has been the only real WAF player in the free software sphere, it's a shame that Trustwave never managed to make a viable, sustainable commercial WAF offering out of it.
Crucially, commercial end-of-life does not mean a dead project. On the contrary, ModSecurity is still widely used. Each month sees the release of new ModSecurity + CRS tutorials and content, and community members continue to ask questions and share thoughts about ModSecurity, CRS, and how they're using these tools, both personally and professionally.
With ModSecurity returning to its roots and becoming an open source community project, I'm confident that the community can once again fix any critical issues and bugs as and when needed. I personally know people who have the skills and inclination to do this. You probably won't see big new features appearing, but, unfortunately, that hasn't been the case for many years at this point, so that's likely to stay the same.
It's important to mention that if ModSecurity were a piece of proprietary software then the situation would be bad, and everyone using it would be out of luck! A proprietary product goes end-of-life and that's that: "goodbye and good luck", or "now buy our new product for $$$" (I immediately think of Microsoft TMG and its happy, loyal customers who would rather not have had to scramble to find a replacement for it). The power of free and open source software, on the other hand, means that ModSecurity can continue to have a long life: it can be forked, adapted, and used forever, or at least as long as people find it useful and relevant.
There are a lot of companies, individuals, and products that are wedded to ModSecurity, relying on it to power their WAFs or WAF offerings, so it simply isn't going to disappear any time soon. In particular, shortly after Trustwave's end-of-life announcement, ModSecurity vendor Atomicorp publicly affirmed their commitment to supporting ModSecurity “for the foreseeable future” after Trustwave's departure, as the engine forms a fundamental part of their product offering.
And there are many others, too: ModSecurity is simply too widely used to disappear.
What other options and engines are available?
The up-and-coming Coraza WAF engine is noteworthy. It's a new WAF engine written in Go and it recently became an official OWASP project. The big stumbling block right now to Coraza adoption is that it isn't a drop-in replacement for ModSecurity, as Coraza doesn't currently work with Apache or Nginx.
The project is currently advertising for a developer to write an Nginx connector, and there's talk of a potential WASM-based Apache solution, so watch this space: Coraza could become a logical successor to ModSecurity one day in the future.
ModSecurity is not dead. July 2024 is merely the end of commercial support and development.
You're only really affected by the commercial end-of-life if you're a paying Trustwave customer. (If that's you then you'll have been aware of all this for over 18 months, now, ever since Trustwave's announcement back in August 2021. Hopefully, you'll have been planning your next steps for quite some time at this point.)
The future is open for innovation and new projects, like the Coraza WAF, and there's exciting work happening in that direction. To quote CRS co-lead Christian Folini: “We are not sailing away from the ModSecurity island just yet, but we are helping to build a new ship.”
The ModSecurity project remains widely used and is still the only established, production-ready free and open source WAF engine. When the project returns to the hands of the free software community in July 2024, the individuals who report issues, fix vulnerabilities, and package ModSecurity for the rest of the world to use will continue to do so. It will be the start of the next chapter for ModSecurity, not the end of the story.